AWS has introduced Cost Anomaly Detection, a new feature now in beta driven by machine learning that pledges to notify admins of “unexpected or unusual spend”.

Bill shock is a problem suffered, on occasion, by small and big AWS customers alike. At the small end, there are cases like that of Chris Short, using AWS for his Content Delivery Network (CDN) to scale his website at a cost of around $23.00 per month. One morning he woke up to a bill of $2,657.68, thanks to sharing a 13.7GB file that proved unexpectedly popular. At the other end, the average organisation is over budget for cloud spend by an average of 23 per cent, as we reported here.

While puzzling out what specific cloud services will cost can be a challenge, the big cloud providers are pretty good at showing you where your money has gone with them individually. AWS has a Cost Management service which includes reports, budgets and recommendations, to which the company is now adding Cost Anomaly Detection.

Creating a Cost Monitor for AWS Anomaly Detection

This is configured by adding a Cost Monitor to an AWS account. There are four types of monitor. The generic AWS Services monitor is fully automated. The Linked Account monitor is specific to other AWS accounts linked to an organisation. A Cost Category monitor evaluates spend for a specific category as labelled by the administrator. Finally, a similar Cost Allocation Tag monitor evaluates spend for services with a specific cost tag.

Why cloud costs get out of control: Too much lift and shift, and pricing that is ‘screwy and broken’

READ MORE

Once the type of Cost Monitor is selected, admins set an alert threshold, which is the minimum size of an anomaly that will be notified, the frequency of alerts from as they arise to daily or weekly, and a Simple Notification Service (SNS) through which the alerts are sent. Daily or weekly summaries are sent by email to up to 10 recipients, but admins who opt for individual summaries must go through SNS. This is inexpensive and the first 1,000 emails, or 100 SMS messages, per month are free. Each AWS account can create one AWS Service monitor and up to 101 additional cost monitors.

How good is the anomaly detection? That is the key question and one only customers will be able to answer. The detection engine runs around three times a day and after billing data is processed, which means there is some (potentially expensive) delay. It is driven by a machine learning model, indicaitng scope for both under and over-reporting, but the service is expected to improve as the model is refined.

People may wonder whether it is really in the interests of AWS to provide a service that helps customers spend less money. It is true that, like every company, the cloud providers are always trying to persuade their users to adopt new services or add premium features. That said, none of the experts we have spoken to think that there is deliberate confusion marketing – where pricing is deliberately complex so that customers spend more than they intend – or that providers like having their users waste money. The counter argument holds more sway, that the providers want satisfied customers. The current high demand for cloud services makes this position an easy one to hold.

Anomaly detection is not the complete answer to overpaying. After all, if an organisation paid more than it needed to last month, it is not an anomaly if it does so again. ®

Apple is apparently so skint that it has had to resort to freebie versions of machine-based translation services for its Dutch legalese.

Spotted by a Register reader browsing the small print behind the company’s services, the text “Vertaald met www.DeepL.com/Translator (gratis versie)” can be found lurking just above the “DEFINITIE VAN APPLE” section in the terms-and-conditions doc.

For those not versed in Dutch, that means something like “Translated with www.DeepL.com/Translator (free version)”.

Apple’s Dutch legalese

We’d give you our own definition of Apple, but that’s possibly how we wound up on the company’s naughty step.

DeepL Translator [PDF] was first released in August 2017, with the free service (presumably the one that has found favour within Cupertino) being supplemented by DeepL Pro in March 2018. An application to integrate with Windows and macOS arrived in September 2019.

Sadly, it appears that for Apple, maker of the $999 iPhone 11 Pro and $5,999 Mac Pro, the €39.99 per month/per user of DeepL’s “Ultimate” tier subscription is just a little too much. Even the €5.99 tier is a step too far.

Odd, because by opting for the freebie incarnation, Apple has elected to skip DeepL’s maximum data security level for its translation (with end-to-end encryption and immediate text deletion). Stranger still, the recent iOS 14 update added an Apple-built translation app to iPhones. Maybe they should have used that.

The Register contacted Apple to find out why a link to a free translation service had found its way into its terms and conditions. We’re shocked, shocked, to report that the company has yet to respond.

DeepL has also not responded to our request for comment.

A quick look at old versions of the page shows that the translation credit appeared relatively recently, presumably when the likes of Fitness+ were crowbarred in. Apple Fitness+ costs $9.99 a month, a little more than how much DeepL asks per month for its basic tier.

It could be worse. The translation-based snafu could have ended up on a road sign.

As for our reader? He noted: “The translation is rather poor, I didn’t expect this kind of work from Apple.”

If the quality of recent software from the fruity branded biz is anything to go by, this is exactly the sort of thing we’ve come to expect. ®

Uber has won an appeal against Transport for London’s decision not to renew the ride-hailing app biz’s licence for the English capital, ending a three-year tussle between the pair.

The ruling is the culmination of a hearing at Westminster Magistrates’ Court that ran a fortnight ago from 14 to 17 September, with deputy chief magistrate Tan Ikram declaring today: “Despite [Uber’s] historical failings, I find them, now, to be a fit and proper person to hold a London PHV (private hire vehicle) operator’s licence.”

He added that he did, however, “wish to hear from the advocates on conditions and on my determination as to the length of a licence”.

Uber had itself wanted a five-year licence but, as things stand, has an 18-month license.

The company has yet to comment publicly.

The head-to-head between Uber and TfL kicked off in September 2017 when the authority said private operators needed to meet “rigorous regulations” that are “designed to ensure passenger safety”, and Uber had fallen short of these.

This related to a hole in Uber’s systems that allowed unauthorised drivers to upload their pictures to official drivers’ accounts. Thousands of passenger journeys were undertaken in which the passenger thought their driver was someone else and that driver was not insured. Trips were also made by drivers TfL had previously banned as another hole in the system allowed them to create new accounts with Uber.

The way enhanced Disclosure and Barring Service checks were carried out had also concerned TfL, and the authority claimed Uber had failed to detail its use of Greyball software that could block regulatory bodies from getting full access to its app.

Tim Ward, QC for Uber London Ltd, said during the court proceedings that the company had made technical improvements, including to its governance and document systems.

Judge Ikram said that Uber had presented “no real challenge to the facts as presented by TfL” but he reckoned Uber “challenged the suggestion that breaches were not taken seriously and any suggestion of bad faith on their part”.

He added that in respect of document and insurance fraud, “Uber now seem to be at the forefront of tackling an industry-wide challenge.”

Unsurprisingly, the Licensed Taxi Drivers Association (LTDA) branded today’s decision a “disaster”.

“Uber has demonstrated time and time again that it simply can’t be trusted to put the safety of Londoners, its driver and other road users above profit. Sadly, it seems that Uber is too big to regulate effectively, but too big to fail.

“By holding up their hands and finally accepting some responsibility, Uber has managed to pull the wool over the eyes of the court and create the false impressions that it has changed for the better. A leopard doesn’t change its spots and we are clear that Uber’s underlying culture remains as toxic as it has ever been.”

The App Drivers and Couriers Union (ADCU) claimed the decision had secured the jobs of 43,000 drivers employed by Uber, but it wants to see Uber and TfL learn lessons from the case.

“Uber drivers pay the company 25 per cent of every fare and in return are entitled to expect the company to operate the business in a safe and compliant manner,” said Yaseen Aslam, ADCU president. “Instead Uber has put profit first and placed the livelihood of 43,000 workers at risk.

“It is time for the Mayor of London to break up the Uber monopoly by limiting the number of drivers allowed to register on the Uber platform. The reduced scale will give both Uber and Transport for London the breathing space necessary to ensure all compliance obligations – including workers’ rights – are met in the future.”

Following TfL’s 2017 rejection of Uber’s operator’s licence applications, the biz was granted a 15-month provisional licence in June 2018, and a further two months were granted in September 2019 before TfL decided in November last year that Uber shouldn’t get that licence back.

Updated on 29 September at 12.13 BST to add:

Following publication of this article, Uber sent us a statement:

Jamie Heywood, Uber regional general manager for Northern & Eastern Europe, said: “This decision is a recognition of Uber’s commitment to safety and we will continue to work constructively with TfL. There is nothing more important than the safety of the people who use the Uber app as we work together to keep London moving.”®

In Brief Foreign-backed disinformation campaigns will spread fake news about the results of the upcoming US election in an effort to sow doubt and outrage among the American public.

This is according to an alert issued by the FBI and Department of Homeland Security this week. The two agencies believe that in the immediate aftermath of the presidential election on November 3, Americans will be bombarded with false stories about the vote tally, reports of voter fraud, and other issues that would stoke division as the country awaits official election results – a process that could take weeks.

Unlike the 2016 election, when most of the disinformation was sprayed out in the run-up to the vote, this cycle will aim to even make people question whether the results of the vote are valid, the alert states. People are urged to check their facts carefully with multiple sources and on official government websites.

“The increased use of mail-in ballots due to COVID-19 protocols could leave officials with incomplete results on election night,” the agencies warned.

“Foreign actors and cybercriminals could exploit the time required to certify and announce elections’ results by disseminating disinformation that includes reports of voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy.”

ATM skimming crew busted

The DOJ has indicted nine people it says operated a string of ATM skimmer operations netting more than $100,000 in theft.

The crew, it is said, placed “skimmer” devices over the card readers of ATMs and collected the card information of people who used the kiosks. They would then yank the skimmers and encode the data onto blank cards which they could use or sell to others.

This was done between March 2019 and June 2020 across a string of states in the southeastern US: Florida, Louisiana, Georgia, and Mississippi, as well as in New York state.

Each of the nine have now been indicted on one federal count of conspiracy to commit device fraud. Police have also reportedly arrested other suspected members of the gang.

You’re never going to believe this, but Cisco has patched some bugs

The latest patch bundle from Switchzilla is a hefty one, containing a total of 42 CVE-listed vulnerabilities across various networking gear.

Fortunately, none of the fixes are for issues deemed to be critical problems, but 29 are considered high risk and should be patched as soon as possible.p>

These include a firewall denial of service bug, a code execution flaw, and an arbitrary file overwrite in IOS XE appliances, two denial of service bugs in Aironet Access Points, and denial of service in the Catalyst 9200 series switches.

Teen hacker bags $25K payout for Instagram bug find

A 14 year-old Brazilian developer has netted himself a nice payday from Facebook, thanks to a critical bug find in Instagram.

Andres Alonso says that he stumbled upon the cross-site scripting flaw by accident while he was working on his own mobile app.

While wading through some integration code with Instagram’s AR filter creator, he figured out that someone could redirect the URL a filter links to without the user getting any notification. At the time, though, he couldn’t quite get a proof-of-concept to work and show it was a complete XSS vulnerability.

Stil, Alonso reported the issue to Facebook, whose security team confirmed that it was indeed a bug that would allow for dangerous cross-site-scripting and decided to award the teen a tidy $25,000 bounty. Facebook’s crew said the dodgy code could be used in an XSS attack against Instagram but reckoned it hadn’t been used in the wild.

“I have to thank Facebook for making a little push in my report escalating to an XSS,” he said.

It’s 2020, and we’re still trying Silk Road cases

It has been more than five years since Silk Road boss Ross Ulbricht was sent to prison for a double life sentence plus 40 years without the possibility of parole, and US authorities are still trying people tied to the notorious drugs market.

This time, it’s programmer Michael Weigand, who pled guilty to lying to federal investigators about his role in the market.

Specifically, Weigand admitted that he was actually involved in helping suss out potential security holes in the site and that he worked with both Ulbricht and Silk Road advisor Roger Thomas Clark.

Additionally, Weigand admitted to flying to London to meet one of Clark’s friends under the guise of starting a marijuana seed business, but instead going to Clark’s London residence to destroy evidence.

“When Weigand was questioned by law enforcement in 2019, he falsely claimed not to have done anything at all for Silk Road,” US Attorney Audrey Strauss. “For his various false statements, Weigand now faces potential prison time.” ®

Around 40 per cent of staff in British and American corporations have access to sensitive data that they don’t need to complete their jobs, according to recent research.

In a survey commissioned by IT security firm Forcepoint of just under 900 IT professionals, 40 per cent of commercial sector respondents and 36 per cent working in the public sector said they had privileged access to sensitive data through work.

Worryingly, of that number, about a third again (38 per cent public sector and 36 per cent private) said they had access privileges despite not needing them. Overall, out of more than 1,000 respondents, just 14 per cent from the private sector thought their org was fully aware of who had the keys to their employers’ digital kingdoms.

Carried out by the US Ponemon Institute, a research agency, the survey also found that about 23 per cent of IT pros across the board reckoned that privileged access to data and systems was handed out willy-nilly, or, as Forcepoint put it in a statement, “for no apparent reason”.

Access management is a critical topic for IT security bods, especially as COVID-19-induced remote working introduces challenges for the monitoring of data access and intra-org flows.

In a finding bound to shore up frontline workers’ opinions of each other, fully half of respondents (49 per cent public sector, 51 per cent private) expressed the view that users with elevated access privs would browse through data “because of their curiosity”, while just over 40 per cent thought their co-workers could be “pressured” to share login credentials.

More than half thought incident-based security tools yielded false positives as well as too much data “than can be reviewed in a timely fashion”, revealing that workers think gotta-log-em-all security tools may be more of an obstacle to finding and plugging system breaches – or malicious people exfiltrating valuable data.

“To effectively understand the risk posed by insiders, it takes more than simply looking at logs and configuration changes,” said Nico Popp, chief product officer at Forcepoint, in a canned statement.

“Incident-based security tools yield too many false positives; instead IT leaders need to be able to correlate activity from multiple sources such as trouble tickets and badge records, review keystroke archives and video, and leverage user and entity behaviour analytics tools. Unfortunately, these are all areas where many organizations fall short.”

The survey took responses from 755 UK and 1,128 American workers in the public and private sectors. ®

A month can be a long time in space exploration. Since we last spoke to Rocket Lab’s Peter Beck, scientists have published results that hint at life in the clouds of Venus, while Beck’s rocketeers popped a Photon demonstrator into Earth orbit.

CEO Beck talked with us about his plans for a privately funded Venus mission a month ago, but was careful with his words, laughing “otherwise I get headlines like ‘Pete’s searching for aliens'”.

The speculation generated by the Royal Astronomical Society press briefing a few short weeks later generated far more lurid copy about what might be floating about in the atmosphere of Venus. Beck’s passion for the mission remains, however, undimmed.

With Flight 14 safely away, replete with a surprise demonstrator of Rocket Lab’s Photon spacecraft, Beck was happy to go into detail on what he planned to launch to Venus in May 2023.

The mission profile is deceptively simple. The interplanetary version of the Photon will undertake a voyage of around 160-180 days to Venus. The probe will detach and, as Photon performs a flyby of the planet, plunge into the atmosphere at approximately 11 kilometres per second, transmitting data as it goes.

This is where the real fun starts.

“We get around 300 seconds of really interesting time in the region that everybody’s interested in,” explained Beck, “and the real challenge right now is the instrument. We’re going there to look for signs of life, and in order to design the instrument you have to make some assumptions about what that life is.”

Beck’s 27kg probe will indeed carry a single instrument weighing in at around 3kg, rather than the multitude of gadgets seen on other spacecraft. Instead of a single, big mission every decade or so, Beck plans to send a multitude of lighter, cheaper spacecraft, iterating the payload as results come in.

“It’s a different way of doing planetary science,” he asserted. “The approach I personally prefer is: ‘Let’s do a bunch of missions for tens of millions of dollars, and let’s do them really, really regularly, and frequently’.

“The ability to kind of increment the science is what’s really interesting. You can go there with a hypothesis, test your hypothesis, and go, ‘Well, that was wrong,’ and go back again, with a new hypothesis and iterate.”

Beck speculated that it might take 10 missions or more to conclusively prove things one way or another: “If we follow the traditional model… I haven’t got 100 years to wait, I want that question answered now!”

The numbers, in terms of the billion-dollar missions often seen heading to the stars, look good (comparatively speaking). Rocket Lab is charging NASA $10m for the lunar version of the Photon due to launch next year, including the Electron on which it will ride. The $30m-$50m for the more complex mission to Venus is, according to Beck, “a bargain”.

Of course, he would say that.

Beck expects to fly at least one more Photon before NASA’s lunar mission (“they’re just a drop-in for the kick stage,” he said, “as long as there is mass margin on the flight”) and more are planned in order to refine the design ahead of that first mission to Venus.

Having successfully returned to flight, Rocket Lab has a busy few months coming up. Its US launchpad will see its first mission once the paperwork for the abort system is complete and the second New Zealand facility is nearing completion. Additional launchpads might feature in the future if the company is asked for inclinations below 37 degrees.

It also hopes to see the Electron of Flight 17 return to Earth safely via parachute.

But looking for evidence of life on Venus is the ultimate name of the game. “What galvanised my interest in space,” said Beck, “is: ‘Are we alone? Is life in the universe unique, or is it prolific?’

“The evidence we have now is that we are the only life in the universe. If you can find life [or evidence of life] on Venus then you fundamentally change that data point.

“And if you have the capability to go and try and answer that question, it’s just totally unacceptable to not try.” ®

A cryptocurrency exchange called KuCoin says it has been cracked, with over $100m of assets misappropriated.

The Register last covered KuCoin when it was mentioned by the Bitcoin-burgling cybercrooks who hacked a bunch of prominent Twitter users.

The Seychelles-based outfit, founded in 2017, proudly boasts of its venture capital backers who clearly admire its services facilitating trading of “numerous digital assets and cryptocurrencies”. And on Saturday it advised users that it “detected some large withdrawals since September 26, 2020 at 03:05:37 (UTC+8)” and that an internal security audit revealed “part of Bitcoin, ERC-20 and other tokens in KuCoin’s hot wallets were transferred out of the exchange, which contained few parts of our total assets holdings. The assets in our cold wallets are safe and unharmed, and hot wallets have been re-deployed.”

The company also promised that any losses would be covered by insurance, but also advised that deposit and withdrawal services would be suspended pending a security review.

A later update included an FAQ in which customers asked why some of the withdrawals continued even after the first incident notification was posted. KuCoin assured customers it conducted those transactions itself and advised that restoration of withdrawal functions could take a week. In the volatile world of cryptocurrency, a week can be the difference between a win and a bust.

A Monday update, the latest, revealed the scale of the hack as KuCoin identified over $130m of assets. It also describes work among a number of crypto players to identify suspicious transactions, freeze transactions, and even lists some addresses suspected of involvement in the heist.

“KuCoin has been in touch with a growing number of industry partners to take tangible actions, thanks to all of you for your support!,” the statement concluded.

However, the latest statement does not offer any further information on the cause of the incident, remediation steps, or restoration times.

So there you have it, dear reader: a venture-backed startup, based in a tax haven, demonstrating the future of money in all its glory.

And in the background, China deciding that its own digital currency will be run only by its biggest banks with new payment players like Alibaba not allowed anywhere near its innermost workings. ®

Who, Me? The Register’s Who, Me? column dips a toe into the world of high finance and iffy numbers as a reader realises that freebies aren’t always A Good Thing.

“Tom”, for that is certainly not his name, was toiling away in the machinery of a large IT consultancy back at the start of the century, dealing with data migration and specialising in SAP systems.

“The company’s Random Project Allocator™ assigned me to a project at an internet provider,” he told us. For the purposes of this story, and for reasons that will become very clear, we’re going to call them “NaughtyCo”.

“The project,” Tom went on, “was to design, build, test, and install a new non-SAP-based billing and customer service system.”

A classic “large IT consultancy” project for sure, although this was the first time Tom and his team had laid hands on it. Another company had had an earlier crack at it, but the inevitable balls-up had resulted in a pulled go-live date.

“We had been called in to sort out the testing and data migration to get it over the line,” he explained. The heroes of the hour.

Tom was tasked with leading the data migration, performing a trial cutover to make sure things would work, and then pressing the big red button for the production environment. The data would then be reconciled.

Those expecting the usual oopsie involving mixing up test and production can relax. This wasn’t Tom’s first rodeo. He did, however, find something decidedly whiffy in NaughtyCo’s data.

We don’t need maintenance this often, surely? Pull it. Oh dear, the system’s down

READ MORE

Having worked out what the migration involved, Tom was dismayed to find that the previous effort was a mess of manual workarounds and what he charitably called “Excel-based wizardry” lurking behind the scenes. It was little wonder that things had been halted, and he and his team set about picking up the pieces.

It took a while, but eventually trials of the migration could be run. Tom produced a weekly report for management showing how many customers his system has successfully moved across, and how many had failed. The total came to several hundred thousand.

Unfortunately, Tom’s total was light by tens of thousands, according to a worried project manager. His figures must be wrong.

The customer count was significant since it was reported to the stock exchange and affected the value of the company. Perplexed, Tom went back to look at his figures in search of the missing customers.

“I checked the numbers and came to some interesting conclusions,” he said.

“Depending on your point of view we were both right. My figures represented the number of customers that paid money to NaughtyCo; the figure my boss was using represented the number of internet accounts. The difference was a surprisingly large number of staff accounts, test accounts, free accounts and inactive accounts.”

Well, this was a bit awkward. Feeding false information to the stock exchange smells a bit like fraud. Fortunately for Tom, “I had exposed the situation and not caused it.”

His boss was not happy and swore him to secrecy while she headed upstairs to discuss matters with the bigger bosses.

A plan was hatched. The company would spend the next few months gradually aligning the numbers reported to the stock exchange to match reality, but carefully so as to avoid frightening the horses. The tens of thousands of mystery accounts were shown the sharp end of the axe in the meantime.

As for Tom, “when we cutover to production the migration went smoothly and there were no more surprises regarding the number of customers.

“It just goes to prove the old adage that there are lies, damn lies, and statistics.”

Ever discovered an inconvenient truth? Did you nudge it under the carpet or sling it from the rooftops? Share all with an email to Who, Me? ®

Open-source software advocate Eric S Raymond has penned an argument that the triumph of Linux on the desktop is imminent because Microsoft will soon tire of Windows.

Raymond’s argument, posted to his blog late last week, kicked off with some frank admiration for Windows Subsystem For Linux, the tech that lets Linux binaries run under Windows. He noted that Microsoft is making kernel contributions just to improve WSL.

Raymond is also an admirer of software called “Proton“, an emulation layer that allows Windows games distributed by Steam to run under Linux.

Raymond rated Proton as “not perfect yet, but it’s getting close”.

His next item of note was Microsoft’s imminent release of its Edge browser for Linux.

That collection of ingredients, he argued, will collide with the fact that Azure is now Microsoft’s cash cow while the declining PC market means that over time Microsoft will be less inclined to invest in Windows 10.

“Looked at from the point of view of cold-blooded profit maximization, this means continuing Windows development is a thing Microsoft would prefer not to be doing,” he wrote. “Instead, they’d do better putting more capital investment into Azure – which is widely rumored to be running more Linux instances than Windows these days.”

Raymond next imagined he was a Microsoft strategist seeking maximum future profits and came to the following conclusion:

Over time, Raymond reckoned, Windows emulation would only be present to handle “games and other legacy third-party software”. And eventually Microsoft will get so focused on Azure, and so disinterested in spending money on Windows, that it will ditch even the Windows emulation layer.

“Third-party software providers stop shipping Windows binaries in favor of ELF binaries with a pure Linux API … and Linux finally wins the desktop wars, not by displacing Windows but by co-opting it.”

The end. ®

Webcast Whether you’re into cybersecurity or application development, you probably also like lists, which means you probably love the OWASP Top 10.

The list was first posted by the security non-profit back in 2003, and has been updated every few years since, securing its reputation as the first step for developers towards more secure coding.

The latest update is due this autumn, and needless to say, it comes amidst a time of extraordinary change, both in the world of infosec, and the wider world of tech and business.

Organizations are grappling with the existing challenges of digital transformation, the shift to the cloud and the continued industrialisation of cybercriminality and, more recently, the disruption caused by the sudden migration of large parts of the economy to home working.

Throw in the explosion in the use of open source components, the role of containers, and new approaches to integrating dev, sec and ops, and you’ve got a scarily wide attack surface for hackers to play with. So, before the results are read out, you really should join us on September 29, at 11am UK time for a webcast brought to you by F5 and dedicated to the OWASP Top 10.

El Reg’s broadcasting maestro Tim Phillips will be joined by F5’s senior threat research evangelist David Warburton, and together they’ll chewing over the context of this year’s upcoming list.

Yes, there will be insight on what changes to expect and whether there’s likely a new number one, or whether injection flaws are set to be the cybersec equivalent of Bryan Adams, Queen…or Drake.

But Tim and David will also dig deeper into why the OWASP Top 10 remains essential to maintaining your security posture, and how you can use it effectively to stay ahead of the curve – and the hackers and cybercriminals looking to exploit that same list of vulns.

They’ll also be exploring what the changing IT landscape – particularly that open source and cloud native shift – means for both the Top 10 and your own efforts to protect your organisation.

This all happens right here on El Reg. All you need to do is register here, and we’ll serve up Tim and David, to a screen near you, whether it’s at work, at home or somewhere in between.

Russia has taken the unusual step of posting a proposal for a new information security collaboration with the United States of America, including a no-hack pact applied to electoral affairs.

The document, titled “Statement by President of Russia Vladimir Putin on a comprehensive program of measures for restoring the Russia – US cooperation in the filed [sic] of international information security”, opens by saying “one of today’s major strategic challenges is the risk of a large-scale confrontation in the digital field” before adding: “A special responsibility for its prevention lies on the key players in the field of ensuring international information security (IIS).”

Russia therefore wants to reach agreement with the USA on “a comprehensive program of practical measures to reboot our relations in the field of security in the use of information and communication technologies (ICTs)”.

Putin suggested four actions could set the ball rolling:

• Resuming “regular full-scale bilateral interagency high-level dialogue on the key issues of ensuring IIS”.
• Establishing and maintaining “continuous and effective functioning of the communication channels between competent agencies of our States through Nuclear Risk Reduction Centers, Computer Emergency Readiness Teams and high-level officials in charge of the issues of IIS within the bodies involved in ensuring national security, including that of information”.
• Jointly developing “a bilateral intergovernmental agreement on preventing incidents in the information space similarly to the Soviet-American Agreement on the Prevention of Incidents On and Over the High Seas in force since 25 May 1972”. That agreement aimed to reduce the chance of a maritime incident between the then-USSR and the USA, and included de-escalation measures to stop an incident going nuclear.
• Exchanging “guarantees of non-intervention into internal affairs of each other, including into electoral processes, inter alia, by means of the ICTs and high-tech methods”.

Russia stands accused of interfering in the 2016 US presidential election with widespread use of fake social media accounts. The USA’s Federal Bureau of Investigations last week warned: “Foreign actors and cybercriminals could create new websites, change existing websites, and create or share corresponding social media content to spread false information in an attempt to discredit the electoral process and undermine confidence in US democratic institutions.” On 17 September FBI director Christopher Ray testified before the House Homeland Security Committee Events and named Russia as a nation already interfering in this year’s elections (video below).

Youtube Video

It is unclear if Russia’s document elicited a public response from the USA.

The two nations sought a cyber-détente in 2017, when Putin and Trump discussed a Cyber Security unit with unspecified functions and purposes.

Putin & I discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded..

— Donald J. Trump (@realDonaldTrump) July 9, 2017

The effort was quickly explained away as a policy thought bubble that was floated without any accompanying detail. The idea deflated soon afterwards, leaving the two nations in their current state of uneasy enmity… ®

The fact that President Putin and I discussed a Cyber Security unit doesn’t mean I think it can happen. It can’t-but a ceasefire can,& did!

— Donald J. Trump (@realDonaldTrump) July 10, 2017

Made-in-China social video app TikTok has convinced a US judge it should remain in American app stores for the foreseeable future – dodging a ban that would have seen it expelled from Google Play and Apple’s app store from midnight on Sunday US time.

A Sunday order [PDF] by justice Carl J Nichols of the United States District Court for the District of Columbia granted an injunction sought by TikTok to keep its software available for new downloads or updates.

Downloads and updates to existing installations are among the “prohibited transactions” that the Trump administration says no US business will be allowed to conduct with TikTok and Tencent’s WeChat messaging service. Other prohibitions would prevent US carriers from carrying traffic to and from the apps.

TikTok last week sought an injunction against the ban on grounds that it violates constitutional rights to free speech and to petition the US government. WeChat already secured a stay of execution on similar grounds.

Justice Nichols’ order doesn’t explain why he decided to grant the injunction and his reasons for doing so are in a separate document that is currently sealed. His order therefore calls on the administration and TikTok to meet on Monday, US time, to read his reasoning and decide if it can be unsealed and released to the public.

The parties were also ordered to meet by Wednesday, 30 September, and “file a Joint Status Report proposing a schedule for further proceedings” and “address any other issues that they believe will be helpful to the Court”.

The order isn’t a huge win for TikTok because it could still lose in another court and still faces likely expulsion from the USA if the administration doesn’t sign off on its deal to be acquired by Oracle, WalMart and others.

US president Donald Trump has offered not-entirely-consistent views on whether the deal should be allowed to proceed, and is now rather busy trying to secure an unusually speedy confirmation of a Supreme Court Justice, preparing for the first of three presidential debates and fending off a bombshell report of systematic tax evasion – all while managing the most severe public health crisis in a century. ®